CVE-2021-41131: Client metadata path-traversal
In both clients (tuf/client and tuf/ngclient), there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo(). It occurs because the rolename is used to form the filename, and may contain path traversal characters (i.e. ../../name.json).
The impact is mitigated by a few facts:
- It only affects implementations that allow arbitrary rolename selection for delegated targets metadata
- The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata
- The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json.
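The following Python snippet is an added illustration, not code from python-tuf or from the advisory, showing the defect class described above: a delegated rolename joined directly into a metadata filename, beside a hardened construction. The metadata directory, the rolenames and the mitigation chosen here (percent-encoding the rolename so no path separators survive, plus a resolved-path containment check) are assumptions for the example and are not taken from the project's actual fix.

```python
import os
from urllib.parse import quote

# Constructed sample values (not from the advisory): a hypothetical client
# metadata directory and a set of delegated rolenames, one of which carries
# traversal components of the kind the advisory describes.
METADATA_DIR = "/tmp/tuf-client/metadata"
SAMPLE_ROLENAMES = ["targets", "delegated-role", "../../etc/name"]


def unsafe_metadata_path(metadata_dir: str, rolename: str) -> str:
    """Vulnerable pattern: the rolename is used verbatim as the filename, so
    '..' components in it escape metadata_dir when the file is written."""
    return os.path.join(metadata_dir, f"{rolename}.json")


def escapes_directory(metadata_dir: str, path: str) -> bool:
    """True when the resolved path lies outside the resolved metadata_dir.
    Useful as a detection check over paths a client is about to write."""
    root = os.path.realpath(metadata_dir)
    resolved = os.path.realpath(path)
    return os.path.commonpath([root, resolved]) != root


def safe_metadata_path(metadata_dir: str, rolename: str) -> str:
    """Hardened pattern (assumed mitigation for this example): percent-encode
    the rolename with no characters treated as safe, so '/', '\\' and similar
    cannot reach the filesystem, then verify containment as defense in depth."""
    encoded = quote(rolename, safe="")
    path = os.path.join(metadata_dir, f"{encoded}.json")
    if escapes_directory(metadata_dir, path):
        raise ValueError(f"rolename {rolename!r} would escape {metadata_dir}")
    return path


def audit_rolenames(metadata_dir: str, rolenames: list[str]) -> dict[str, bool]:
    """Return, per rolename, whether the unsafe construction would write
    outside metadata_dir. A True entry is the condition the advisory warns of."""
    return {
        name: escapes_directory(metadata_dir, unsafe_metadata_path(metadata_dir, name))
        for name in rolenames
    }


if __name__ == "__main__":
    for name, escapes in audit_rolenames(METADATA_DIR, SAMPLE_ROLENAMES).items():
        print(f"{name!r}: unsafe path escapes directory = {escapes}")
        print(f"    hardened path: {safe_metadata_path(METADATA_DIR, name)}")
```

The containment check alone is not sufficient as a fix, because a rolename such as "a/b" would still create a subdirectory inside the metadata directory; encoding the rolename first keeps every delegated role to a single flat filename, and the realpath comparison then only guards against mistakes in the encoding step.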
References
- github.com/advisories/GHSA-wjw6-2cqr-j4qr
- github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2021-376.yaml
- github.com/theupdateframework/python-tuf
- github.com/theupdateframework/python-tuf/commit/4ad7ae48fda594b640139c3b7eae21ed5155a102
- github.com/theupdateframework/python-tuf/issues/1527
- github.com/theupdateframework/python-tuf/security/advisories/GHSA-wjw6-2cqr-j4qr
- nvd.nist.gov/vuln/detail/CVE-2021-41131